Indian researchers have received over Rs. 5 crore from Facebook for finding bugs on its platform under Facebook's Bug Bounty program. Around 205 security researchers from India have contributed since the program started in 2011, and India currently ranks at the top of the list of contributing countries.
Companies from around the world travelled to Nullcon, one of India's largest information security conferences, which took place in Goa. Facebook, among them, said it was there to meet the Indian researchers who had contributed valuable reports of high-impact bugs in Facebook's infrastructure, so much so that India ranks top among the countries receiving the highest payouts, almost Rs. 5 crore since the inception of the bug bounty program in 2011.
India currently has 205 researchers who report bugs across Facebook's properties, and their work has put India at the top of a list of 127 countries worldwide by contribution. Facebook wanted to meet some of these researchers in person to thank them for their work and to explain a few factors that help reports qualify for the higher payouts awarded for identifying security bugs.
As many of these researchers could not make it to Nullcon, Facebook announced some guidelines to help them prioritize which bugs to concentrate on and how to present their reports to Facebook for better bounties.
Facebook said it is looking for quality rather than quantity. A researcher should pay close attention to the effect of a bug and the impact it would have if exploited. Facebook says its primary motive is to protect the security of its users, and so it suggests focusing on bugs that would have a high impact at mass scale. It is not the complexity of the exploit but the threat posed by the bug that matters.
As mentioned above, researchers should concentrate on bugs that would have a mass impact on Facebook's systems. A team evaluates each report and decides the appropriate payout for the issue reported. Although similar bugs are paid similarly, Facebook notes that a report may be awarded extra if it shows a high level of clarity and detail, for example a clear description of the affected functionality, the conditions needed to trigger the bug, and the concrete impact on users.
In its 2015 highlights, Facebook reported that most of the highest bug bounty payouts went to researchers who concentrated on issues in business logic and related application workflows, rather than on traditional security concerns such as injection or cross-site scripting. Paying attention to the user-facing aspects of Facebook's offerings lets you report errors that affect a wider audience, and because such bugs carry mass-scale risk, they tend to earn better payouts.
Facebook has published guidelines to help researchers understand the bug bounty program, prepare better reports and see which areas they could look into. A read through them shows that not all Facebook-owned platforms are eligible for the bounty, and that Facebook only requires you to report a bug and its risk in detail; it does not want you to go a step further and exploit it, for instance by accessing other users' data or disrupting the service.